Tim Hortons App Violated Laws In Collection of 'Vast Amounts' of Location Data

An anonymous reader quotes a report from CBC News: The federal privacy commissioner's investigation into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users. The commissioner's report, which was published Wednesday morning, states that Tim Hortons collected granular location data for the purpose of targeted advertising and the promotion of its products but that the company never used the data for those purposes. "The consequences associated with the App's collection of that data, the vast majority of which was collected when the App was not in use, represented a loss of Users' privacy that was not proportional to the potential benefits Tim Hortons may have hoped to gain from improved targeted promotion of its coffee and associated products," the report read. The joint investigation was launched about two years ago by the Office of the Privacy Commissioner of Canada in conjunction with similar authorities in British Columbia, Quebec and Alberta. It came after reporting from the Financial Post found that the Tim Hortons app tracked users' geolocation while users were not using the app. According to a presentation to investors shared in May, the restaurant chain's app has four million active users. Tim Hortons was using a third-party service provider, Radar, to collect geolocation data of users. In August 2020, Tim Hortons stopped collecting location data. However, the investigation found that there was a lack of contractual protections for users' personal information while being processed by Radar. The report describes the language in the contractual clauses to be "vague and permissive," which could have allowed Radar to use the personal information collected in aggregated or de-identified form for its own business. [...] The report states that Tim Hortons also agreed to delete all granular location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities. The company also agreed to establish a privacy management program for its app and all future apps to ensure they are compliant with federal and provincial privacy legislation. Given these remedies, the report found that while the Tim Hortons app was not compliant with privacy laws, the company has since taken measures to resolve the issues. "We've strengthened our internal team that's dedicated to enhancing best practices when it comes to privacy and we're continuing to focus on ensuring that guests can make informed decisions about their data when using our app," a statement from Tim Hortons released on Wednesday said.

Read more of this story at Slashdot.